Planning for Active Directory Forest Recovery

Microsoft Corporation

First published: October 2006

Updated and republished: May 2009, March 2010, Feb 2011, May 2011, Sept 2011, April 2013

AbstractThis guide contains best-practice recommendations for recovering an Active Directory® forest if forest-wide failure renders all domain controllers in the forest incapable of functioning normally. The steps, which you must customize for your particular environment, describe how to recover the entire Active Directory forest to a point in time before the critical malfunction. They also ensure that none of the restored domain controllers replicate from a domain controller with potentially dangerous data.

The steps in this guide apply to Active Directory forests where the domain controllers run Microsoft® Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 operating systems.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006-2013 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

ContentsPlanning for Active Directory Forest Recovery................................................................................5

Publication and revision history...................................................................................................5

New Features, Assumptions, and Prerequisites for Using This Guide for Planning Active Directory Forest Recovery.......................................................................................................................... 6Using virtualized domain controller cloning in Windows Server 2012 to expedite forest recovery

................................................................................................................................................. 6Assumptions for Using This Guide for Planning Active Directory Forest Recovery.....................7Prerequisites for Using This Guide for Planning Active Directory Forest Recovery.....................7

Devising a Custom Forest Recovery Plan......................................................................................8

Recovering Your Active Directory Forest.........................................................................................8Identify the problem..................................................................................................................... 9Decide how to recover the forest...............................................................................................10

Determining which backups to use.........................................................................................11Determining which domain controllers to restore...................................................................12Identify the current forest structure and DC functions............................................................13Recover the forest in isolation................................................................................................15

Perform initial recovery..............................................................................................................16Restore the first writeable domain controller in each domain.................................................16Reconnect each restored writeable domain controller to a common network........................20Add the global catalog to a domain controller in the forest root domain.................................21

Redeploy remaining DCs...........................................................................................................21Cleanup..................................................................................................................................... 23

Appendix A: Forest Recovery Procedures....................................................................................23Backing up a full server.............................................................................................................24Backing up the System State data.............................................................................................25

Backing up the System State data.........................................................................................25Performing a full server recovery...............................................................................................27Performing an authoritative synchronization of DFSR-replicated SYSVOL...............................28Performing a nonauthoritative restore of Active Directory Domain Services..............................29

Performing a nonauthoritative restore....................................................................................29Configuring the DNS Server service..........................................................................................30

Install and configure the DNS Server service.........................................................................30Removing the global catalog.....................................................................................................31Raising the value of available RID pools...................................................................................31Invalidating the current RID pool...............................................................................................33Seizing an operations master role.............................................................................................34

Cleaning metadata of removed writable domain controllers......................................................35Deleting a domain controller using Active Directory Users and Computers...........................35

Resetting the computer account password of the domain controller.........................................36Resetting the krbtgt password...................................................................................................37Resetting a trust password on one side of the trust...................................................................37Adding the global catalog..........................................................................................................38Resources to verify replication is working..................................................................................40

Appendix B: Frequently Asked Questions.....................................................................................40What can I do to speed up recovery?........................................................................................41Can I automate the forest recovery process?............................................................................42

Appendix C: Recovering a Single Domain within a Multidomain Forest........................................43Rehost all GCs.......................................................................................................................... 43Remove lingering objects..........................................................................................................43

Appendix D: Forest Recovery with Windows Server 2003 Domain Controllers............................44Backing up the System State data.............................................................................................44Performing a nonauthoritative restore.......................................................................................45Install and configure the DNS Server service............................................................................46

Additional Resources.................................................................................................................... 47

Planning for Active Directory Forest RecoveryThis guide contains best-practice recommendations for recovering an Active Directory® forest if forest-wide failure renders all domain controllers (DCs) in the forest incapable of functioning normally. The steps it contains serve as a template for your forest recovery plan, which you can customize for your particular environment. These steps apply to DCs that run Microsoft® Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 operating systems.

Procedures that are unique for DCs that run Windows Server 2003 are consolidated in Appendix C.

In this guide New Features, Assumptions, and Prerequisites for Using This Guide for Planning Active

Directory Forest Recovery Devising a Custom Forest Recovery Plan Recovering Your Active Directory Forest Appendix A: Forest Recovery Procedures Appendix B: Frequently Asked Questions Appendix C: Recovering a Single Domain within a Multidomain Forest Appendix D: Forest Recovery with Windows Server 2003 Domain Controllers Additional Resources

Publication and revision historyThe following table summarizes the revision history for this guide, including its original publication on Microsoft TechNet.

Date Revision

April 2013 Updated to reflect new features in Windows Server 2012.

May 2009 Updated to reflect new features in Windows Server 2008.

October 2006 Updated for Windows Server 2003 and published on TechNet

June 2002 Original publication on Microsoft Download Center

Note

5

New Features, Assumptions, and Prerequisites for Using This Guide for Planning Active Directory Forest RecoveryThis topic describes how the new virtualized domain controller cloning feature in Windows Server 2012 improves the forest recovery process and other issues to review before you use the guidelines.

Using virtualized domain controller cloning in Windows Server 2012 to expedite forest recovery

Assumptions for Using This Guide for Planning Active   Directory Forest Recovery Prerequisites for Using This Guide for Planning Active   Directory Forest Recovery

Using virtualized domain controller cloning in Windows Server 2012 to expedite forest recoveryVirtualized domain controller (DC) cloning simplifies and expedites the process for installing additional virtualized DCs in a domain, especially in centralized locations such as datacenters where several DCs run on hypervisors. After you restore one virtual DC in each domain from backup, additional DCs in each domain can be rapidly brought online by using the virtualized DC cloning process. You can prepare the first virtualized DC that you recover, shut it down, and then copy that virtual hard disk as many times as is necessary in order to create cloned virtualized DCs to build out the domain.

The requirements for virtualized DC cloning are:

The hypervisor must support VM-GenerationID. Hyper-V in Windows Server 2012 and Windows 8 is an example of a hypervisor that supports VM-GenerationID. Check with your hypervisor vendor if VM-GenerationID is supported.

The virtualized DC that is used as a source for cloning must run Windows Server 2012 and be a member of the Cloneable Domain Controllers group.

The PDC emulator must run Windows Server 2012. You can clone PDC emulator if it is virtualized.

For step-by-step instructions about how to perform virtualized DC cloning, see Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100). For details about how virtualized DC cloning works, see Virtualized Domain Controller Technical Reference (Level 300).

Assumptions for Using This Guide for Planning Active Directory Forest RecoveryFirst, this guide assumes that you have:

6

Worked with Microsoft Support to determine the cause of the forest-wide failure. This guide does not suggest a cause of the failure or recommend any procedures to prevent the failure.

Evaluated any possible remedies. Concluded, in consultation with Microsoft Support, that restoring the whole forest to its state

before the failure occurred is the best way to recover from the failure. In many cases, forest recovery should be the last option.

Second, this guide assumes that you have followed the Microsoft best-practice recommendations for using Active Directory–integrated Domain Name System (DNS). Specifically, there should be an Active Directory–integrated DNS zone for each Active Directory domain. If this is not the case, you can still use the basic principles of this guide to perform forest recovery. However, you will need to take specific measures for DNS recovery based on your own environment. For more information about using Active Directory–integrated DNS, see Designing a DNS Infrastructure to Support Active   Directory .

Although the objectives of this guide are to recover the forest and maintain or restore full DNS functionality, recovery can result in a DNS configuration that is changed from the configuration before the failure. After the forest is recovered, you can revert to the original DNS configuration. The recommendations in this guide do not describe how to configure DNS servers to perform name resolution of other portions of the corporate namespace where there are DNS zones that are not stored in AD DS.

Finally, although this guide is intended as a generic guide for forest recovery, not all possible scenarios are covered. For instance, beginning with Windows Server 2008, there is a Server Core version, which is a full version of Windows Server but without a full GUI. Although it is certainly possible to recover a forest consisting of just DCs that run Server Core, this guide has no detailed instructions. However, based on the guidance discussed here you will be able to design the required command-line actions yourself.

Prerequisites for Using This Guide for Planning Active Directory Forest RecoveryBefore you begin planning for recovery of an Active Directory forest, you should be familiar with the following:

Fundamental Active Directory concepts The importance of operations master roles (also known as flexible single master operations

or FSMO). These roles include the following: Schema master Domain naming master Relative ID (RID) master Primary domain controller (PDC) emulator master Infrastructure master

7

In addition, you should have backed up and restored AD DS and SYSVOL in a lab environment on a regular basis. For more information, see Backing up the System State data and Performing a nonauthoritative restore of Active   Directory Domain Services .

Devising a Custom Forest Recovery PlanDepending on your environment and business requirements, you might or might not need to perform all the steps described in this guide to perform a successful forest recovery. Given that this guide serves only as a template for forest recovery, it is vital that you devise a custom forest recovery plan that suits your environment and meets your business needs.

For example, in your forest recovery plan, you should have a detailed topology map of your forests. The map should list all the information about the DCs, such as their names, their roles and backup status, and the trust relationships between them. For a tool that you can use to create a topology map, see Microsoft Active Directory Topology Diagrammer.

You should practice your forest recovery plan at least once a year. Also, it is a good idea to perform a forest recovery drill when there are membership changes to the Enterprise Admins or Domain Admins group. This helps ensure that your information technology (IT) staff fully understands the forest recovery plan.

Recovering Your Active Directory ForestThis section provides an overview of the recommended path for recovering a forest. The forest recovery steps are described in detail later.

The following list summarizes the recovery steps at a high level:

1. Identify the problem

Work with IT and Microsoft Support to determine the scope of the problem and potential causes, and evaluate possible remedies with all business stakeholders. In many cases total forest recovery should be the last option.

2. Decide how to recover the forest

After you determine that forest recovery is necessary, complete preliminary steps to prepare for it: determine the current forest structure, identify the functions that each DC performs, decide which DC to restore for each domain, and ensure that all writeable DCs are taken offline.

3. Perform initial recovery

In isolation, recover one DC for each domain, clean them, and reconnect the domains. Reset privileged accounts, and rectify problems caused by security breaches in this phase.

4. Redeploy remaining DCs

8

Redeploy the forest to return it to its state before the failure. This step will need to be adapted to your specific design and requirements. Virtualized domain controller cloning can help expedite this process.

5. Cleanup

After functionality has been restored, reconfigure name resolution as needed, and get LOB applications working.

The following flowchart shows the recovery process.

The steps in this guide are designed to minimize the possibility of reintroducing dangerous data into the recovered forest. You might have to modify these steps to account for such factors as:

Scalability Remote manageability Speed of recovery

However, modifications to these forest recovery steps can increase the risk of reintroducing dangerous data. For more information about possible modifications to these forest recovery steps, see What can I do to speed up recovery?

Identify the problemWhen symptoms of a forest-wide failure appear, such as in event logs or other monitoring solutions, work with Microsoft Support to determine the cause of the failure, and evaluate any possible remedies.

Examples of forest-wide failures include the following:

All DCs have been logically corrupted or physically damaged to a point that business continuity is impossible; for example, all business applications that depend on AD DS are nonfunctional.

A rogue administrator has compromised the Active Directory environment.

9

An attacker intentionally—or an administrator accidentally—runs a script that spreads data corruption across the forest.

An attacker intentionally—or an administrator accidentally—extends the Active Directory schema with malicious or conflicting changes.

An attacker has managed to install malicious software on DCs, and you have been advised by Microsoft Support to recover the forest from backup.

This paper does not cover security recommendations about how to recover a forest that has been hacked or compromised. In general, it is recommended to follow Pass-the-Hash mitigation techniques to harden the environment. For more information, see Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.

None of the DCs can replicate with their replication partners. Changes cannot be made to AD DS at any domain controller. New DCs cannot be installed in any domain.

Decide how to recover the forestRecovering an entire Active Directory forest involves either restoring it from backup or reinstalling Active Directory Domain Services (AD DS) on every domain controller (DC) in the forest. Recovering the forest restores each domain in the forest to its state at the time of the last trusted backup. Consequently, the restore operation will result in the loss of at least the following Active Directory data:

All objects (such as users and computers) that were added after the last trusted backup All updates that were made to existing objects since the last trusted backup All changes that were made to either the configuration partition or the schema partition in

AD DS (such as schema changes) since the last trusted backup

For each domain in the forest, the password of a Domain Admin account must be known. Preferably, this is the password of the built-in Administrator account, which must not be disabled. You must also know the DSRM password to perform a system state restore of a DC. In general, it is a good practice to archive the Administrator account and DSRM password history in a safe place for as long as the backups are valid, that is, within the tombstone lifetime period or within the deleted object lifetime period if Active Directory Recycle Bin is enabled. You can also synchronize the DSRM password with a domain user account in order to make it easier to remember. For more information, see KB article 961320. Synchronizing the DSRM account must be done in advance of the forest recovery, as part of preparation.

The Administrator account is a member of the built-in Administrators group by default, as are the Domain Admins and Enterprise Admins groups. This group has full control of all DCs in the domain.

Determining which backups to useBack up at least two writeable DCs for each domain regularly so you have several backups to choose from. Note that you cannot use the backup of a read-only domain controller (RODC) to

Important Note

10

restore a writeable DC. We recommend that you restore the DCs by using backups that were taken a few days before the occurrence of the failure. In general, you must determine a tradeoff between the recentness and the safeness of the restored data. Choosing a more recent backup recovers more useful data, but it might increase the risk of reintroducing dangerous data into the restored forest.

Restoring system state backups depends on the original operating system and server of the backup. For example, you should not restore a system state backup to a different server. In this case, you may see the following warning:

“The specified backup is of a different server than the current one. We do not recommend performing a system state recovery with the backup to an alternate server because the server might become unusable. Are you sure you want to use this backup for recovering the current server?”

If you need to restore Active Directory to different hardware, create full server backups and plan to perform a full server recovery.

Beginning with Windows Server 2008, it is not supported to restore system state backup to a new installation of Windows Server on new hardware or the same hardware. If Windows Server is reinstalled on the same hardware, as recommended later in this guide, then you can restore the domain controller in this order:

1. Perform a full server restore in order to restore the operating system and all files and applications.

2. Perform a system state restore using wbadmin.exe in order to mark SYSVOL as authoritative.

For more information, see Microsoft KB article 249694.

If the time of the occurrence of the failure is unknown, investigate further to identify backups that hold the last safe state of the forest. This approach is less desirable. Therefore, we strongly recommend that you keep detailed logs about the health state of AD DS on a daily basis so that, if there is a forest-wide failure, the approximate time of failure can be identified. You should also keep a local copy of backups to enable faster recovery.

If Active Directory Recycle Bin is enabled, the backup lifetime is equal to the deletedObjectLifetime value or the tombstoneLifetime value, whichever is less. For more information, see Active   Directory Recycle Bin Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=178657).

As an alternative, you can also use the Active Directory database mounting tool (Dsamain.exe) and a Lightweight Directory Access Protocol (LDAP) tool, such as Ldp.exe or Active Directory Users and Computers, to identify which backup has the last safe state of the forest. The Active Directory database mounting tool, which is included in Windows Server 2008 and later Windows Server operating systems, exposes Active Directory data that is stored in backups or snapshots as an LDAP server. Then, you can use an LDAP tool to browse the data. This approach has the advantage of not requiring you to restart any DC in Directory Services Restore Mode (DSRM) to examine the contents of the backup of AD DS.

For more information about using the Active Directory database mounting tool, see the Active   Directory Database Mounting Tool Step-by-Step Guide .

Important

11

You can also use the ntdsutil snapshot command to create snapshots of the Active Directory database. By scheduling a task to periodically create snapshots, you can obtain additional copies of the Active Directory database over time. You can use these copies to better identify when the forest-wide failure occurred and then choose the best backup to restore. To create snapshots, use the version of ntdsutil that ships with Windows Server 2008 or the Remote Server Administration Tools (RSAT) for Windows Vista or later. The target DC can run any version of Windows Server. For more information about using the ntdsutil snapshot command, see Snapshot.

Determining which domain controllers to restoreEase of the restore process is an important factor when deciding which domain controller to restore. It is recommended to have a dedicated DC for each domain that is the preferred DC for a restore. A dedicated restore DC makes it easier to reliably plan and execute the forest recovery because you use the same source configuration that was used to perform restore tests. You can script the recovery, and not contend with different configurations, such as whether the DC holds operations master roles or not, or whether it is a GC or DNS server or not.

While it is not recommended to restore an operations master role holder in the interest of simplicity, some organizations may choose to restore one for other advantages. For example restoring the RID master may help prevent problems with managing RIDs during the recovery.

Choose a DC that best meets the following criteria:

A DC that is writeable. This is mandatory. A DC running Windows Server 2012 as a virtual machine on a hypervisor that supports VM-

GenerationID. This DC can be used as a source for cloning. A DC that is accessible, either physically or on a virtual network, and preferably located in a

datacenter. This way, you can easily isolate it from the network during forest recovery. A DC that has a good full server backup. A good backup is a backup that can be restored

successfully, was taken a few days before the failure, and contains as much useful data as possible.

A DC that was a Domain Name System (DNS) server before the failure. This saves the time required to reinstall DNS.

If you also use Windows Deployment Services, choose a DC that is not configured to use BitLocker Network Unlock. In this case, BitLocker Network Unlock is not supported to be used for the first DC that you restore from backup during a forest recovery.

BitLocker Network Unlock as the only key protector cannot be used on DCs where you have deployed Windows Deployment Services (WDS) because doing so results in a scenario where the first DC requires Active Directory and WDS to be working in order to unlock. But before you restore the first DC, Active Directory is not yet available for WDS, so it cannot unlock.

To determine if a DC is configured to use BitLocker Network Unlock, check that a Network Unlock certificate is identified in the following registry key:

Note

12

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP

Maintain security procedures when handling or restoring backup files that include Active Directory. The urgency that accompanies forest recovery can unintentionally lead to overlooking security best practices. For more information, see the section titled “Establishing Domain Controller Backup and Restore Strategies” in Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part II.

Identify the current forest structure and DC functionsDetermine the current forest structure by identifying all the domains in the forest. Make a list of all of the DCs in each domain, particularly the DCs that have backups, and virtualized DCs which can be a source for cloning. A list of DCs for the forest root domain will be the most important because you will recover this domain first. After you restore the forest root domain, you can obtain a list of the other domains, DCs, and the sites in the forest by using Active Directory snap-ins.

Prepare a table that shows the functions of each DC in the domain, as shown in the following example. This will help you revert back to the pre-failure configuration of the forest after recovery.

DC name Operating system

FSMO GC RODC Backup DNS Server Core

VM VM-GenID

DC_1 Windows Server 2012

Schema master, Domain naming master

Yes No Yes No No Yes Yes

DC_2 Windows Server 2012

None Yes No Yes Yes No Yes Yes

DC_3 Windows Server 2012

Infrastructure Master

No No No Yes Yes Yes Yes

DC_4 Windows Server 2012

PDC emulator, RID Master

Yes No No No No Yes No

DC_5 Windows Server 2012

None No No Yes Yes No Yes Yes

RODC_1 Windows Server 2008 R2

None Yes Yes Yes Yes Yes Yes No

RODC_2 Windows Server 2008

None Yes Yes No Yes Yes Yes No

13

For each domain in the forest, identify a single writeable DC that has a trusted backup of the Active Directory database for that domain. Use caution when you choose a backup to restore a DC. If the day and cause of the failure are approximately known, the general recommendation is to use a backup that was made a few days before that date.

In this example, there are four backup candidates: DC_1, DC_2, DC_4, and DC_5. Of these backup candidates, you restore only one. The recommended DC is DC_5 for the following reasons:

It satisfies requirements for using it as a source for virtualized DC cloning, that is, it runs Windows Server 2012 as a virtual DC on a hypervisor that supports VM-GenerationID, runs software that is allowed to be cloned (or that can be removed if it is not able to be cloned). After the restore, the PDC emulator role will be seized to that server and it can be added to the Cloneable Domain Controllers group for the domain.

It runs a full installation of Windows Server 2012. A DC that runs a Server Core installation can be less convenient as a target for recovery.

It is a DNS server. Therefore, DNS does not have to be reinstalled.

Because DC_5 is not a global catalog server, it also has an advantage in that the global catalog does not need to be removed after the restore. But whether or not the DC is also a global catalog server is not a decisive factor because beginning with Windows Server 2012, all DCs are global catalog servers by default, and removing and adding the global catalog after the restore is recommended as part of the forest recovery process in any case.

Recover the forest in isolationThe preferred scenario is to shut down all writeable DCs before the first restored DC is brought back into production. This ensures that any dangerous data does not replicate back into the recovered forest. It is particularly important to shut down all operations master role holders.

There may be cases where you move the first DC that you plan to recover for each domain to an isolated network while allowing other DCs to remain online in order to minimize system downtime. For example, if you are recovering from a failed schema upgrade, you may choose to keep domain controllers running on the production network while you perform recovery steps in isolation.

If you are running virtualized DCs, you can move them to a virtual network that is isolated from the production network where you will perform recovery. Moving virtualized DCs to a separate network provides two benefits:

Recovered DCs are prevented from reoccurrence of the problem that caused the forest recovery because they are isolated.

Virtualized DC cloning can be performed on the separate network so that a critical number of DCs can be running and tested before they are brought back to the production network.

If you are running DCs on physical hardware, disconnect the network cable of the first DC that you plan to restore in the forest root domain. If possible, also disconnect the network cables of all

Note Note

14

other DCs. This prevents DCs from replicating, if they are accidentally started during the forest recovery process.

In a large forest that is spread across multiple locations, it can be difficult to guarantee that all writeable DCs are shut down. For this reason, the recovery steps—such as resetting the computer account and krbtgt account, in addition to metadata cleanup—are designed to ensure that the recovered writeable DCs do not replicate with dangerous writeable DCs (in case some are still online in the forest).

However, only by taking writeable DCs offline can you guarantee that replication does not occur. Therefore, whenever possible, you should deploy remote management technology that can help you to shut down and physically isolate the writeable DCs during forest recovery.

RODCs can continue to operate while writeable DCs are offline. No other DC will directly replicate any changes from any RODC—especially, no Schema or Configuration container changes—so they do not pose the same risk as writeable DCs during recovery. After all the writeable DCs are recovered and online, you should rebuild all the RODCs.

RODCs will continue to allow access to local resources that are cached in their respective sites while the recovery operations are going on in parallel. Local resources that are not cached on the RODC will have authentication requests forwarded to a writeable DC. These requests will fail because writeable DCs are offline. Some operations such as password changes will also not work until you recover writeable DCs.

If you are using a hub-and-spoke network architecture, you can concentrate first on recovering the writeable DCs in the hub sites. Later, you can rebuild the RODCs in remote sites.

Perform initial recoveryThis section includes the following steps:

Restore the first writeable domain controller in each domain Reconnect each restored writeable domain controller to a common network Add the global catalog to a domain controller in the forest root domain

Restore the first writeable domain controller in each domainBeginning with a writeable DC in the forest root domain, complete the steps in this section in order to restore the first DC. The forest root domain is important because it stores the Schema Admins and Enterprise Admins groups. It also helps maintain the trust hierarchy in the forest. In addition, the forest root domain usually holds the DNS root server for the forest’s DNS namespace. Consequently, the Active Directory–integrated DNS zone for that domain contains the alias (CNAME) resource records for all other DCs in the forest (which are required for replication) and the global catalog DNS resource records.

After you recover the forest root domain, repeat the same steps to recover the remaining domains in the forest. You can recover more than one domain simultaneously; however, always recover a parent domain before recovering a child to prevent any break in the trust hierarchy or DNS name resolution.

15

For each domain that you recover, restore only one writeable DC from backup. This is the most important part of the recovery because the DC must have a database that has not been influenced by whatever caused the forest to fail. It is important to have a trusted backup that is thoroughly tested before it is introduced into the production environment.

Then perform the following steps. Procedures for performing certain steps are in Appendix A: Forest Recovery Procedures.

1. If you plan to restore a physical server, ensure that the network cable of the target DC is not attached and therefore is not connected to the production network. For a virtual machine, you can remove the network adapter or use a network adapter that is attached to another network where you can test the recovery process while isolated from the production network.

2. Because this is the first writeable DC in the domain, you must perform a nonauthoritative restore of AD DS and an authoritative restore of SYSVOL. The restore operation must be completed by using an Active Directory-aware backup and restore application, such as Windows Server Backup (that is, you should not restore the DC by using unsupported methods such as restoring a VM snapshot).

An authoritative restore of SYSVOL is required because replication of the SYSVOL replicated folder must be started after you recover from a disaster. All subsequent DCs that are added in the domain must resynchronize their SYSVOL folder with a copy of the folder that has been selected to be authoritative before the folder can be advertised.

Perform an authoritative (or primary) restore operation of SYSVOL only for the first DC to be restored in the forest root domain. Incorrectly performing primary restore operations of the SYSVOL on other DCs leads to replication conflicts of SYSVOL data.

There are two options perform a nonauthoritative restore of AD DS and an authoritative restore of SYSVOL:

Perform a full server recovery and then then force an authoritative synchronization of SYSVOL. For detailed procedures, see Performing a full server recovery and Perform an authoritative synchronization of DFSR-replicated SYSVOL.

Perform a full server recovery followed by a system state restore. This option requires that you create both types of backups in advance: a full server backup and a system state backup. For detailed procedures, see Performing a full server recovery and Performing a nonauthoritative restore of Active   Directory Domain Services .

3. After you restore and restart the writeable DC, verify that the failure did not affect the data on the DC. If the DC data is damaged, then repeat step 2 with a different backup.

If the restored domain controller hosts an operations master role, you may need to add the following registry entry to avoid AD DS being unavailable until it has completed replication of a writeable directory partition:

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Repl Perform Initial SynchronizationsCreate the entry with the data type REG_DWORD and a value of 0. After the forest is recovered completely, you can reset the value of this entry to 1, which requires a domain controller that restarts and holds operations master roles to have successful AD DS inbound

Caution

16

and outbound replication with its known replica partners before it advertises itself as domain controller and starts providing services to clients. For more information about initial synchronization requirements, see KB article 305476.

Continue to the next steps only after you restore and verify the data and before you join this computer to the production network.

4. If you suspect that the forest-wide failure was related to network intrusion or malicious attack, reset the account passwords for all administrative accounts, including members of the Enterprise Admins, Domain Admins, Schema Admins, Server Operators, Account Operators groups, and so on. The reset of administrative account passwords should be completed before additional domain controllers are installed during the next phase of the forest recovery.

5. On the first restored DC in the forest root domain, seize all domain-wide and forest-wide operations master roles. Enterprise Admins and Schema Admins credentials are needed to seize forest-wide operations master roles.

In each child domain, seize domain-wide operations master roles. Although you might retain the operations master roles on the restored DC only temporarily, seizing these roles assures you regarding which DC hosts them at this point in the forest recovery process. As part of your post-recovery process, you can redistribute the operations master roles as needed. For more information about seizing operations master roles, see Seizing an operations master role. For recommendations about where to place operations master roles, see What Are Operations Masters?.

6. Clean up metadata of all other writeable DCs in the forest root domain that you are not restoring from backup (all writeable DCs in the domain except for this first DC). If you use the version of Active Directory Users and Computers or Active Directory Sites and Services that is included with Windows Server 2008 or later or RSAT for Windows Vista or later, metadata cleanup is performed automatically when you delete a DC object. In addition, the server object and computer object for the deleted DC are also deleted automatically. For more information, see Cleaning metadata of removed writable DCs.

Cleaning up metadata prevents possible duplication of NTDS-settings objects if AD DS is installed on a DC in a different site. Potentially, this could also save the Knowledge Consistency Checker (KCC) the process of creating replication links when the DCs themselves might not be present. Moreover, as part of metadata cleanup, DC Locator DNS resource records for all other DCs in the domain will be deleted from DNS.

Until the metadata of all other DCs in the domain is removed, this DC, if it were a RID master before recovery, will not assume the RID master role and therefore will not be able to issue new RIDs. You might see event ID 16650 in the System log in Event Viewer indicating this failure, but you should see event ID 16648 indicating success a little while after you have cleaned the metadata.

7. If you have DNS zones that are stored in AD DS, ensure that the local DNS Server service is installed and running on the DC that you have restored. If this DC was not a DNS server before the forest failure, you must install and configure the DNS server.

If the restored DC runs Windows Server 2008, you need to install the hotfix in KB article 975654 or connect the server to an isolated network temporarily in order to

Note

17

install DNS server. The hotfix is not required for any other versions of Windows Server.

In the forest root domain, configure the restored DC with its own IP address (or a loopback address, such as 127.0.0.1) as its preferred DNS server. You can configure this setting in the TCP/IP properties of the local area network (LAN) adapter. This is the first DNS server in the forest. For more information, see Configure TCP/IP to use DNS.

In each child domain, configure the restored DC with the IP address of the first DNS server in the forest root domain as its preferred DNS server. You can configure this setting in the TCP/IP properties of the LAN adapter. For more information, see Configure TCP/IP to use DNS.

In the _msdcs and domain DNS zones, delete NS records of DCs that no longer exist after metadata cleanup. Check if the SRV records of the cleaned up DCs have been removed. To help speed up DNS SRV record removal, run:

nltest.exe /dsderegdns:server.domain.tld

8. Raise the value of the available RID pool by 100,000. For more information, see Raising the value of available RID pools. If you have reason to believe that raising the RID Pool by 100,000 is insufficient for your particular situation, you should determine the lowest increase that is still safe to use. RIDs are a finite resource that should not be used up needlessly.

If new security principals were created in the domain after the time of the backup that you use for the restore, these security principals might have access rights on certain objects. These security principals no longer exist after recovery because the recovery has reverted to the backup; however, their access rights might still exist. If the available RID pool is not raised after a restore, new user objects that are created after the forest recovery might obtain identical security IDs (SIDs) and could have access to those objects, which was not originally intended.

To illustrate, consider the example of the new employee named Amy that was mentioned in the introduction. The user object for Amy no longer exists after the restore operation because it was created after the backup that was used to restore the domain. However, any access rights that were assigned to that user object might persist after the restore operation. If the SID for that user object is reassigned to a new object after the restore operation, the new object would obtain those access rights.

9. Invalidate the current RID pool. The current RID pool is invalidated after a system state restore. But if a system state restore was not performed, the current RID pool needs to be invalidated to prevent the restored DC from re-issuing RIDs from the RID pool that was assigned at the time the backup was created. For more information, see Invalidating the current RID pool.

The first time that you attempt to create an object with a SID after you invalidate the RID pool you will receive an error. The attempt to create an object triggers a request for a new RID pool. Retry of the operation succeeds because the new RID pool will be allocated.

10. Reset the computer account password of this DC twice. For more information, see Resetting the computer account password of the domain controller.

Note

18

11. Reset the krbtgt password twice. For more information, see Resetting the krbtgt password.

Because the krbtgt password history is two passwords, reset passwords twice to remove the original (prefailure) password from password history.

If the forest recovery is in response to a security breach, you may also reset the trust passwords. For more information, see Resetting a trust password on one side of the trust.

12. If the forest has multiple domains and the restored DC was a global catalog server before the failure, clear the Global catalog check box in the NTDS Settings properties to remove the global catalog from the DC. The exception to this rule is the common case of a forest with just one domain. In this case, it is not required to remove the global catalog. For more information, see Removing the global catalog.

By restoring a global catalog from a backup that is more recent than other backups that are used to restore DCs in other domains, you might introduce lingering objects. Consider the following example. In domain A, DC1 is restored from a backup that was taken at time T1. In domain B, DC2 is restored from a global catalog backup that was taken at time T2. Suppose T2 is more recent than T1, and some objects were created between T1 and T2. After these DCs are restored, DC2, which is a global catalog, holds newer data for domain A's partial replica than domain A holds itself. DC2, in this case, holds lingering objects because these objects are not present on DC1.

The presence of lingering objects can lead to problems. For instance, e-mail messages might not be delivered to a user whose user object was moved between domains. After you bring the outdated DC or global catalog server back online, both instances of the user object appear in the global catalog. Both objects have the same e-mail address; therefore, e-mail messages cannot be delivered.

A second problem is that a user account that no longer exists might still appear in the global address list. A third problem is that a universal group that no longer exists might still appear in a user's access token.

If you did restore a DC that was a global catalog—either inadvertently or because that was the solitary backup that you trusted—we recommend that you prevent the occurrence of lingering objects by disabling the global catalog soon after the restore operation is complete. Disabling the global catalog flag will result in the computer losing all its partial replicas (partitions) and relegating itself to regular DC status.

13. Configure Windows Time Service. In the forest root domain, configure the PDC emulator to synchronize time from an external time source. For more information, see Configure the Windows Time service on the PDC emulator in the Forest Root Domain.

Reconnect each restored writeable domain controller to a common networkAt this stage you should have one DC restored (and recovery steps performed) in the forest root domain and in each of the remaining domains. Join these DCs to a common network that is

Note

19

isolated from the rest of the environment and complete the following steps in order to validate forest health and replication.

When you join the physical DCs to an isolated network, you may need to change their IP addresses. As a result, the IP addresses of DNS records will be wrong. Because a global catalog server is not available, secure dynamic updates for DNS will fail. Virtual DCs are more advantageous in this case because they can be joined to a new virtual network without changing their IP addresses. This is one reason why virtual DCs are recommended as the first domain controllers to be restored during forest recovery.

After validation, Join the DCs to the production network and complete the steps to verify forest replication health.

To fix name resolution, create DNS delegation records and configure DNS forwarding and root hints as needed. Run repadmin /replsum to check replication between DCs.

If the restored DC’s are not direct replication partners, replication recovery will be much faster by creating temporary connection objects between them.

To validate metadata cleanup, run Repadmin /viewlist * for a list of all DCs in the forest. Run Nltest /DCList: <domain> for a list of all DCs in the domain.

To check DC and DNS health, run DCDiag /v to report errors on all DCs in the forest.

Add the global catalog to a domain controller in the forest root domainA global catalog is required for these and other reasons:

To enable logons for users. To enable the Net Logon service running on the DCs in each child domain to register and

remove records on the DNS server in the root domain.

Although it is preferred that the forest root DC become a global catalog, it is possible to elect any of the restored DCs to become a global catalog.

A DC will not be advertised as a global catalog server until it has completed a full synchronization of all directory partitions in the forest. Therefore, the DC should be forced to replicate with each of the restored DCs in the forest.

Monitor the Directory Service event log in Event Viewer for event ID 1119, which indicates that this DC is a global catalog server, or verify the following registry key has a value of 1:

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion Complete

For more information, see Adding the global catalog.

At this stage you should have a stable forest, with one DC for each domain and one global catalog in the forest. You should make a new backup of each of the DCs that you have just restored. You can now begin to redeploy other DCs in the forest by installing AD DS.

Notes Notes

20

Redeploy remaining DCsThe steps up to this point apply to all forests: find a valid backup for each domain, recover the domains in isolation, reconnect them, reset the global catalog, and clean up. In this next step you will redeploy the forest. The way to do this will greatly depend on your forest design, your service level agreements, site structure, available bandwidth, and numerous other factors. You will need to design your own redeployment plan based on the principles and suggestions in this section, in a way that is best suited to your business requirements.

The next step is to install AD DS on all DCs that were present before the forest recovery took place. If the DCs still exist, the AD DS service will need to be removed forcibly, or the DCs can be reinstalled. Any existing backups for these DCs cannot be reused, because the corresponding metadata has been removed during forest recovery. In an uncomplicated environment this redeployment process can be as simple as reconnecting the recovered DCs to the production network, and promoting new DCs as needed.

In a large enterprise faced with a worldwide infrastructure, a more sophisticated plan is needed. The first phase is usually to restore the AD as a service; this means to install strategically placed DCs such that all critical business divisions and applications can start working again. It may be acceptable for branch offices to temporarily have reduced performance as a result of this. As a second phase, all remaining and less critical DCs are redeployed.

There are two methods to install additional DCs, both of which can be automated:

Cloning

For virtualized environments that run Windows Server 2012, cloning is the fastest and simplest way to recover a large number of DCs. You can automate the recovery of all virtualized DCs in a domain after you restore a single virtualized DC from backup.

For more information about cloning and prerequisites, see Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100).

Re-install AD DS by using Windows PowerShell on servers that run Windows Server 2012 (or Dcpromo.exe on servers that run earlier versions of Windows Server) or by using the user interface

To expedite re-installing AD DS, you can use Install from Media (IFM) option to reduce replication traffic during the installation. For more information about using the ntdsutil ifm command to create installation media, see Installing AD   DS from Media .

Consider the following additional points for each replica DC that is recovered in the forest by virtualized DC cloning or by installing AD DS (as opposed to restoring from backup):

All software on a DC that is used as the source for cloning must be able to be cloned. Applications and services that cannot be cloned should be removed before cloning is initiated. If that is not possible, an alternative virtualized DC should be chosen as the source.

If you clone additional virtualized DCs from the first virtualized DC to be restored, the source DC will need to be shut down while its VHDX file is copied. Then it will need to be running and available online when the clone virtual DCs are first started. If the downtime required by the shutdown is not acceptable for the first recovered DC, deploy an additional virtualized DC by installing AD DS to act as the source for cloning.

21

There is no restriction on the host name of the cloned virtualized DC or the server on which you want to install AD DS. You can use a new host name or the host name that was in use previously. For more information about DNS host name syntax, see Creating DNS Computer Names (http://go.microsoft.com/fwlink/?LinkId=74564).

Configure each server with the first DNS server in the forest (the first DC that was restored in the root domain) as the preferred DNS server in the TCP/IP properties of its network adapter. For more information, see Configure TCP/IP to use DNS.

Redeploy all RODCs in the domain, either by virtualized DC cloning if several RODCs are deployed in a central location, or by the traditional method of rebuilding them by removing and reinstalling AD DS if they are deployed individually in isolated located locations such as branch offices.

Rebuilding RODCs ensures that they do not contain any lingering objects and can help prevent replication conflicts from occurring later. When you remove AD DS from an RODC, choose the option to retain DC metadata. Using this option retains the krbtgt account for the RODC and retains the permissions for the delegated RODC administrator account and the Password Replication Policy (PRP), and prevents you from having to use Domain Admin credentials to remove and reinstall AD DS on an RODC. It also retains the DNS server and global catalog roles if they are installed on the RODC originally.

When you rebuild DCs (RODCs or writeable DCs), there may be increased replication traffic during their reinstallation. To help reduce that impact, you can stagger the schedule of the RODC installations, and you can use the Install From Media (IFM) option. If you use the IFM option, run the ntdsutil ifm command on a writeable DC that you trust to be free of damaged data. This helps prevent possible corruption from appearing on the RODC after the AD DS reinstallation is complete. For more information about IFM, see Installing AD DS from Media.

For more information about rebuilding RODCs, see RODC Removal and Reinstallation.

If a DC was running the DNS Server service before the forest malfunction, install and configure the DNS Server service during the installation of AD DS. Otherwise, configure its former DNS clients with other DNS servers.

If you require additional global catalogs to share authentication or query load for users or applications, you can either add the global catalog to the source virtualized DC before cloning or you can make a DC a global catalog server during the installation of AD DS.

CleanupPerform the following post recovery steps as needed:

After the entire forest is recovered, you can revert to the original DNS configuration, including configuration of the preferred and alternate DNS servers on each of the DCs. After the DNS servers are configured as they were before the malfunction, their previous name resolution capabilities will be restored. Delete any DNS records for DCs that have not been recovered.

Delete Windows Internet Name Service (WINS) records for all DCs that have not been recovered.

You can transfer the operations master roles to other DCs in the domain or forest and add more global catalog servers based on the configuration before the failure.

22

Because the entire forest is restored to a previous state, any objects (such as users and computers) that were added and all updates (such as password changes) that were made to existing objects after this point are lost. Therefore, you should re-create these missing objects and reapply the missing updates as appropriate.

You might also need to restore outgoing trusts with external domains and forests, because these external trust relationships are not restored automatically from backups.

Appendix A: Forest Recovery ProceduresThis appendix contains procedures related to the forest recovery process described earlier in this guide. The procedures are applicable for Windows Server 2012, and are also applicable to Windows Server 2008 R2 and Windows Server 2008 with some minor exceptions. Procedures that include steps that vary for Windows Server 2003 are found in Appendix D: Forest Recovery with Windows Server 2003 Domain Controllers.

Backing up a full server Backing up the System State data Performing a full server recovery Performing an authoritative synchronization of DFSR-replicated SYSVOL Performing a nonauthoritative restore of Active   Directory Domain Services

These steps explain how to perform an authoritative restore of SYSVOL at the same time.

Configuring the DNS Server service Removing the global catalog Raising the value of available RID pools Invalidating the current RID pool Seizing an operations master role Cleaning metadata of removed writable domain controllers Resetting the computer account password of the domain controller Resetting the krbtgt password Resetting a trust password on one side of the trust Adding the global catalog Resources to verify replication is working

Backing up a full serverA full server backup is recommended to prepare for a forest recovery because it can be restored to different hardware or a different operating system instance. To perform a full server backup, perform the following procedure using Windows Server Backup. Windows Server Backup is not installed by default. In Windows Server 2012, install it by selecting Windows Server Backup on the Select Features page in the Add Roles and Features Wizard in Server Manager. For steps

23

to install it in Windows Server 2008 and Windows Server 2008 R2, see Installing Windows Server Backup.

1. In Windows Server 2012, open Server Manager, click Tools, and then click Windows Server Backup.

In Windows Server 2008 R2 and Windows Server 2008, click Start, point to Administrative Tools, and then click Windows Server Backup.

2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.

3. In Windows Server 2012 only, first click Local Backup.4. On the Action menu, click Backup once.5. In the Backup Once Wizard, on the Backup options page, click Different options, and

then click Next.6. On the Select backup configuration page, click Full server (recommended), and then

click Next.7. On the Specify destination type page, click Local drives or Remote shared folder,

and then click Next.8. On the Specify destination type page, choose the backup location as follows:

If you are backing up to a local volume, in Backup destination, select a drive, and then click Next.When you are prompted to exclude the destination volume from the list of items to be backed up, click OK.

If you are backing up to a remote shared folder, do the following:i. Type the path to the shared folder. ii. Under Access Control, select Do not inherit or Inherit to determine access to

the backup, and then click Next.iii. In the Provide user credentials for Backup dialog box, provide the user name

and password for a user who has write access to the shared folder, and then click OK.

9. On the Confirmation page, review your selections, and then click Backup.10. After the Backup Once Wizard begins the backup, click Close at any time. The backup

runs in the background and you can view backup progress at any time during the backup. The wizard closes automatically when the backup is complete.

1. Open an elevated command prompt, type the following command and press ENTER:

wbadmin start backup -backuptarget:<Drive_letter_to store_backup>: -include:<Drive_letter_to_include>: -quiet

To perform a full server backup using Windows Server BackupTo perform a full server backup using Wbadmin.exe

24

Backing up the System State dataA System State backup must be restored to the same operating system instance and hardware. Therefore it is not as flexible during a forest recovery as a full server backup. But a system state backup can be used to perform a non-authoritative restore of AD DS and an authoritative restore of SYSVOL at the same time (using wbadmin.exe), which may be more convenient than the full server restore option.

To back up System State data, complete the following procedures:

Backing up the System State dataUse the following procedure to perform a system state backup on a DC by using Windows Server Backup or wbadmin.exe.

1. In Windows Server 2012, open Server Manager, click Tools, and then click Windows Server Backup.

In Windows Server 2008 R2 and Windows Server 2008, click Start, point to Administrative Tools, and then click Windows Server Backup.

2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.

3. In Windows Server 2012 only, first click Local Backup.4. On the Action menu, click Backup once.5. In the Backup Once Wizard, on the Backup options page, click Different options, and

then click Next.6. On the Select backup configuration page, click Custom, and then click Next.7. On the Select backup items page:

In Windows Server 2012, click Add Items, click System state, then click Next.In Windows Server 2008 R2 and Windows Server 2008, select the volumes to include in the backup. If you select the Enable system recovery check box, all critical volumes are selected.

As an alternative, you can clear that check box, select the individual volumes that you want to include, and then click Next. Your selection must include the volumes that store the operating system, Ntds.dit, and SYSVOL.

Note If you select a volume that hosts an operating system, all volumes that store system components are also selected.

8. On the Specify destination type page, choose the backup location as follows: If you are backing up to a local volume, in Backup destination, select a drive, and

then click Next.

To perform a system state backup using Windows Server Backup

25

When you are prompted to exclude the destination volume from the list of items to be backed up, click OK.

If you are backing up to a remote shared folder, do the following:i. Type the path to the shared folder. ii. Under Access Control, select Do not inherit or Inherit to determine access to

the backup, and then click Next.iii. In the Provide user credentials for Backup dialog box, provide the user name

and password for a user who has write access to the shared folder, and then click OK.

9. For Windows Server 2008 R2 and Windows Server 2008, on the Specify advanced option page, select VSS copy backup and then click Next,

10. On the Confirmation page, review your selections, and then click Backup.11. After the Backup Once Wizard begins the backup, click Close at any time. The backup

runs in the background and you can view backup progress at any time during the backup. The wizard closes automatically when the backup is complete.

1. Open an elevated command prompt, type the following command and press ENTER:

wbadmin start systemstatebackup -backuptarget:<targetDrive>: -allCritical -quiet

Performing a full server recoveryUse the following procedure to perform a full server recovery for Windows Server 2012. A full server recovery is necessary if you are restoring to different hardware or a different operating system instance. The number drives on the target server needs to be equal to the number in the backup and they need to be the same size or greater.

The target server needs to be started from the operating system DVD in order to access the Repair your computer option. If the target DC is running in a VM on Hyper-V and the backup is stored on a network location, you must install a legacy network adapter.

After you perform a full server recovery, you need to separately perform an authoritative restore of SYSVOL, as described in the next section.

1. Start Windows Setup, specify the Language, Time and currency format, and keyboard options and click Next.

2. Click Repair your computer. If the backup is stored locally, skip to step 6. If the backup is stored on a network location, continue with step 3.

3. Click Troubleshoot, click Command Prompt. 4. Type the following command and press ENTER:

wpeinit

5. To confirm the name of the network adapter, type:

To perform a system state backup using Wbadmin.exe To perform a full server recovery

26

show interfaces

Type the following commands and press ENTER after each command:

netsh

interface

tcp

ipv4

set address "Name of Network Adapter" static IPv4 Address SubnetMask IPv4 Gateway Address 1

For example:

set address "Local Area Connection" static 192.168.1.2 255.0.0.0 192.168.1.1 1

Type quit to return to a command prompt. Type ipconfig /all to verify the network adapter has an IP address and try to ping the IP address of the server that hosts the backup share to confirm connectivity. Close the command prompt when you are done.

6. Click Troubleshoot, click System Image Recovery, and click Windows Server 2012. 7. If you are restoring the most recent local backup, click Use the latest available system

image (recommended) and click Next twice, click Finish, and click Yes to confirm the restore operation.

If you are restoring a different backup, click Select a system image and click Next. 8. Click the name of a local backup file or click Advanced and click Search for a system

image over the network to search for a backup over the network. 9. Type the UNC path to the backup share location (for example, \\server1\backups) and

click OK. You can also type the IP address of the target server, such as \\192.168.1.3\backups.

10. Type credentials necessary to access the share and click OK.11. Select the name of the backup file and click Next. 12. Select the drives in the backup file and click Next. 13. Click Format and repartition disks and click Next. 14. Click Finish, and click Yes to confirm that all disks will be restored.

Performing an authoritative synchronization of DFSR-replicated SYSVOLThere are different ways to perform an authoritative restore of SYSVOL. You can either edit the msDFSR-Options attribute or perform a system state restore using wbadmin –authsysvol. If you have the option to restore a system state backup (that is, you are restoring AD DS to the same hardware and operating system instance) then using wbadmin –authsysvol is simpler. But if you need to perform a bare metal restore, then you need to edit the msDFSR-Options attribute.

27

Use the following steps to perform an authoritative synchronization of SYSVOL (if it is replicated using DFSR) by editing the msDFSR-Options attribute. If SYSVOL is replicated using FRS, see article 290762.

1. Open Active Directory Users and Computers. 2. Click View, and then select Users, Contacts, Groups, and Computers as containers

and Advanced Features.3. In the tree-view, click Domain Controllers, the name of the DC you restored, DFSR-

LocalSettings, and then Domain System Volume. 4. In the Details pane, right-click SYSVOL Subscription, click Properties, and click

Attribute Editor.5. Click msDFSR-Options, click Edit, type 1, and click OK 6. Click OK to close the Attribute Editor.

Performing a nonauthoritative restore of Active Directory Domain ServicesTo perform a nonauthoritative restore, complete the following procedure.

The following procedures use the Wbadmin.exe to perform a nonauthoritative restore of Active Directory or Active Directory Domain Services (AD DS). If you are using a different backup solution or if you intend to complete the authoritative restore of SYSVOL later in the forest recovery process, you can perform an authoritative restore of SYSVOL by using these alternative methods:

If you are using File Replication Service (FRS) to replicate SYSVOL, follow the steps in article 290762 in the Microsoft Knowledge Base, using the BurFlags registry key to reinitialize FRS replica sets, or if necessary, article 315457 315457to rebuild the SYSVOL tree. To determine if SYSVOL is replicated by FRS, see Determining Whether a Domain Controller's SYSVOL Folder is Replicated by DFSR or FRS.

If you are using Distributed File System (DFS) Replication to replicate SYSVOL, see Performing an authoritative synchronization of DFSR-replicated SYSVOL.

Performing a nonauthoritative restoreUse the following procedure to perform a nonauthoritative restore of AD DS and an authoritative restore of SYSVOL at the same time by using wbadmin.exe on a DC that runs Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. The backup must explicitly include system state data; a full server backup that is used for full server recovery will not work. For more information about creating a system state backup, see Backing up the System State data.

Include the -authsysvol switch in your recovery command, as shown in the following example:

To perform an authoritative synchronization of DFSR-replicated SYSVOLTo perform a nonauthoritative restore of AD DS and authoritative restore of SYSVOL using wbadmin.exe

28

wbadmin start systemstaterecovery <otheroptions> -authsysvol

For example:

wbadmin start systemstaterecovery -version:11/20/2012-13:00 -authsysvol

Configuring the DNS Server serviceIf the DNS server role is not installed on the DC that you restore from backup, you must install and configure the DNS server.

Install and configure the DNS Server serviceComplete this step for each restored DC that is not running as a DNS server after the restore is complete.

If the DC that you restored from backup is running Windows Server 2008, you must connect the DC to an isolated network in order to install DNS server. Then connect each of the restored DNS servers to a mutually shared, isolated network. Run repadmin /replsum to verify that replication is functioning between the restored DNS servers. After you verify replication, you can connect the restored DCs to the production network If the DNS server role is already installed, you can apply a hotfix that makes it possible for a DNS server to start while the server is not connected to any network. You should slipstream the hotfix into the operating system installation image during your automated build processes. For more information about the hotfix, see Article 975654 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=184691).

1. Open Server Manager and start the Add Roles Wizard. 2. In the Add Roles Wizard, if the Before You Begin page appears, click Next.3. In the Roles list, click DNS Server, and then click Next.4. Read the information on the DNS Server page, and then click Next.5. On the Confirm Installation Options page, verify that the DNS Server role will be

installed, and then click Install.After the installation, complete the following steps to configure the DNS server.

6. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.7. Create DNS zones for the same DNS domain names that were hosted on the DNS

servers before the critical malfunction. For more information, see Add a Forward Lookup Zone (http://go.microsoft.com/fwlink/?LinkId=74574).

8. Configure the DNS data as it existed before the critical malfunction. For example: Configure DNS zones to be stored in AD DS. For more information, see Change the

Zone Type (http://go.microsoft.com/fwlink/?LinkId=74579). Configure the DNS zone that is authoritative for domain controller locator

(DC Locator) resource records to allow secure dynamic update. For more

Note To install and configure the DNS Server service using Server Manager

29

information, see Allow Only Secure Dynamic Updates (http://go.microsoft.com/fwlink/?LinkId=74580).

9. Ensure that the parent DNS zone contains delegation resource records (name server (NS) and glue host (A) resource records) for the child zone that is hosted on this DNS server. For more information, see Create a Zone Delegation (http://go.microsoft.com/fwlink/?LinkId=74562).

10. After you configure DNS, you can speed up registration of the NETLOGON Records.

Note Secure dynamic updates only work when a global catalog server is available.

At the command prompt, type the following command, and then press ENTER:

net stop netlogon11. Type the following command, and then press ENTER:

net start netlogon

Removing the global catalogUse the following procedure to remove the global catalog from a DC.

Restoring a global catalog server from backup could result in the global catalog holding newer data for one of its partial replicas than the corresponding domain that is authoritative for that partial replica. In such a case, the newer data will not be removed from the global catalog and might even replicate to other global catalog servers. As a result, even if you did restore a DC that was a global catalog server, either inadvertently or because that was the solitary backup you trusted, you should remove the global catalog soon after the restore operation is complete. When the global catalog is removed, the computer removes all its partial replicas.

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.

3. Expand the Servers container, and then expand the server object for the DC from which you want to remove the global catalog.

4. Right-click NTDS Settings, and then click Properties.5. Clear the Global Catalog check box.

1. Open an elevated command prompt, type the following command, and press ENTER:

repadmin.exe /options DC_NAME –IS_GC

To remove the global catalog using Active Directory Sites and ServicesTo remove the global catalog using Repadmin

30

Raising the value of available RID poolsUse the following procedure to raise the value of the relative ID (RID) pools that the RID operations master will allocate after that DC is restored. By raising the value of the available RID pools, you can ensure that no DC allocates a RID for a security principal that was created after the backup that was used to restore the domain.

Each domain has an object CN=RID Manager$,CN=System,DC=<domain_name>. This object has an attribute named rIDAvailablePool. This attribute value maintains the global RID space for an entire domain. The value is a large integer with upper and lower parts. The upper part defines the number of security principals that can be allocated for each domain (0x3FFFFFFF or just over 1 billion). The lower part is the number of RIDs that have been allocated in the domain.

In Windows Server 2012, the number of security principals that can be allocated is increased to just over 2 billion. For more information, see Managing RID issuance.

Sample Value: 4611686014132422708 Low Part: 2100 (beginning of the next RID pool to be allocated) Upper Part: 1073741823 (total number of RIDs that can be created in a domain)

When you increase the value of the large integer, you increase the value of the low part. For example, if you add 100,000 to the sample value of 4611686014132422708 for a sum of 4611686014132522708, the new low part is 102100. This indicates that the next RID pool that will be allocated by the RID master will begin with 102100 instead of 2100.

1. At an elevated command prompt, type:

adsiedit.msc

2. Connect do the Default Naming Context, and browse to the following distinguished name path: CN=RID Manager$,CN=System,DC=<domain name>.

3. Open the properties of CN=RID Manager$.4. Select the attribute rIDAvailablePool, click Edit, and then copy the large integer value to

the clipboard.5. Start calculator, and from the View menu, select Scientific Mode.6. Add 100,000 to the current value.7. Using ctrl-c, or the Copy command from the Edit menu, copy the value to the clipboard.8. In the edit dialog of adsiedit, paste this new value.9. Click OK in the dialog, and Apply in the property sheet to update the rIDAvailablePool

attribute.

1. At the command prompt, type the following command, and then press ENTER:

ldp2. Click Connection, click Connect, type the name of RID manager, and then click OK. 3. Click Connection, click Bind, type your administrative credentials, and then click OK.

Note To raise the value of available RID pools using adsiedit and the calculatorTo raise the value of available RID pools using LDP

31

4. Click View, click Tree, and then type the following distinguished name path:

CN=RID Manager$,CN=System,DC=domain name5. Click Browse, and then click Modify. 6. Add 100,000 to the current rIDAvailablePool value, and then type the sum into Values. 7. In Dn, type cn=RID Manager$,cn=System,dc=<domain name>. 8. In Edit Entry Attribute, type rIDAvailablePool. 9. Select Replace as the operation, and then click Enter. 10. Click Run to run the operation.11. To validate the change, select the cn=RID Manager$,cn=System,dc=<domain name>

object and verify then value of the rIDAvailablePool attribute.

Invalidating the current RID poolUse the following procedure to us Windows PowerShell to invalidate the current RID pool on a domain controller. Windows PowerShell is enabled by default on Windows Server 2012 and Windows Server 2008 R2, but not Windows Server 2008 where it must be installed by using Add Features. It can be downloaded to run on Windows Server 2003.

To verify the command completed successfully, check for event ID 16654 (source is Directory-Services-SAM) in the System log in Event Viewer in Windows Server 2012. Earlier versions of Windows do not log this event.

After you invalidate the RID pool, you will receive an error when you first attempt to create security principal (user, computer, or group). The attempt to create an object triggers a request for a new RID pool. Retry of the operation succeeds because the new RID pool will be allocated.

1. Open an elevated Windows PowerShell session, run the following command and press ENTER:

$Domain = New-Object System.DirectoryServices.DirectoryEntry

$DomainSid = $Domain.objectSid

$RootDSE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")

$RootDSE.UsePropertyCache = $false

$RootDSE.Put("invalidateRidPool", $DomainSid.Value)

$RootDSE.SetInfo()

Note To invalidate the current RID pool

32

Seizing an operations master roleUse the following procedure to seize an operations master role (also known as a flexible single master operations (FSMO) role). You can use Ntdsutil.exe, a command-line tool that is installed automatically on all DCs.

1. At the command prompt, type the following command, and then press ENTER:

ntdsutil

2. At the ntdsutil: prompt, type the following command, and then press ENTER:

roles

3. At the FSMO maintenance: prompt, type the following command, and then press ENTER:

connections

4. At the server connections: prompt, type the following command, and then press ENTER:

Connect to server ServerFQDN

Where ServerFQDN is the fully qualified domain name (FQDN) of this DC, for example: connect to server nycdc01.example.com.

If ServerFQDN does not succeed, use the NetBIOS name of the DC.

5. At the server connections: prompt, type the following command, and then press ENTER:

quit

6. Depending on the role that you want to seize, at the FSMO maintenance: prompt, type the appropriate command as described in the following table, and then press ENTER.

Role Credentials Command

Domain naming master Enterprise Admins Seize naming master

Schema master Schema Admins Seize schema master

Infrastructure master

Note After you seize the infrastructure master role, you may receive an error later if you need to run Adprep /Rodcprep. For more

Domain Admins Seize infrastructure master

To seize an operations master role

33

Role Credentials Command

information, see KB article 949257.

PDC emulator master Domain Admins Seize pdc

RID master Domain Admins Seize rid master

After you confirm the request, Active Directory or AD DS attempts to transfer the role. When the transfer fails, some error information appears, and Active Directory or AD DS proceeds with the seizure. After the seizure is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears. You can also run Netdom Query FSMO at an elevated command prompt to verify current role holders.

Note If this computer was not a RID master before the failure and you attempt to seize the RID master role, the computer tries to synchronize with a replication partner before accepting this role. However, because this step is performed when the computer is isolated, it will not succeed in synchronizing with a partner. Therefore, a dialog box appears asking you whether you want to continue with the operation despite this computer not being able to synchronize with a partner. Click Yes.

Cleaning metadata of removed writable domain controllersMetadata cleanup removes Active Directory data that identifies a DC to the replication system.

Use the following procedure to delete the DC objects for DCs that you plan to add back to the network by reinstalling AD DS.

If you are using the version of Active Directory Users and Computers or Active Directory Sites and Services that is included Remote Server Administration Tools (RSAT), metadata cleanup is performed automatically when you delete a DC object.

Deleting a domain controller using Active Directory Users and ComputersWhen you use the version of Active Directory Users and Computers or Active Directory Administrative Center in Remote Server Administration Tools (RSAT), metadata cleanup is performed automatically when you delete the DC object. The server object and the computer object are also deleted automatically.

34

As an alternative, you can also use Active Directory Sites and Services in RSAT to delete a DC object. If you use Active Directory Sites and Services, you must delete the associated server object and NTDS Settings object before you can delete the DC object.

To download RSAT:

Remote Server Administration Tools for Windows 8 Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) Microsoft Remote Server Administration Tools for Windows Vista

The following procedure is the same for DCs that run either Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. The target DC of the metadata cleanup operation can run any version of Windows Server.

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree, double-click the domain container, and then double-click the Domain Controllers organizational unit (OU).

3. In the details pane, right-click the DC that you want to delete, and then click Delete.4. Click Yes to confirm the deletion. Select the This Domain Controller is permanently

offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO) check box and click Delete.

5. If the DC was a global catalog server, click Yes confirm that the deletion.

Resetting the computer account password of the domain controllerUse the following procedure to reset the computer account password of the DC.

1. At a command prompt, type the following command, and then press ENTER:

netdom help resetpwd

2. Use the syntax that this command provides for using the Netdom command-line tool to reset the computer account password, for example:

netdom resetpwd /server:domain controller name /userD:administrator /passwordd:*

Where domain controller name is the local DC that you are recovering.

Note You should run this command twice.

To delete a domain controller object using Active Directory Users and Computers in RSAT

To reset the computer account password of the domain controller

35

Resetting the krbtgt passwordUse the following procedure to reset the krbtgt password for the domain. The following procedure applies writeable DCs, but not read-only domain controllers (RODCs).

If you plan to recover RODCs online during the forest recovery, do not delete the krbtgt accounts for the RODCs. The krbtgt account for an RODC is listed in the format krbtgt_number.

If you use a customized password filter (such as passfilt.dll) on a DC, then you might receive an error when you try to reset the krbtgt password. For more information, including a workaround, see Microsoft Knowledge Base article 2549833 (http://support.microsoft.com/kb/2549833).

1. Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Click View, and then click Advanced Features.3. In the console tree, double-click the domain container, and then click Users.4. In the details pane, right-click the krbtgt user account, and then click Reset Password.5. In New password, type a new password, retype the password in Confirm password,

and then click OK. The password that you specify is not significant because the system will generate a strong password automatically independent of the password that you specify.

NotesYou should perform this operation twice. The password history of the krbtgt account is two, meaning it includes the two most recent passwords. By resetting the password twice you effectively clear any old passwords from the history, so there is no way another DC will replicate with this DC by using an old password.

Resetting a trust password on one side of the trustIf the forest recovery is related to a security breach, use the following procedure to reset a trust password on one side of the trust. This includes implicit trusts between child and parent domains as well as explicit trusts between this domain (the trusting domain) and another domain (the trusted domain).

Reset the password on only the trusting domain side of the trust, also known as the incoming trust (the side where this domain belongs). Then, use the same password on the trusted domain side of the trust, also known as the outgoing trust. Reset the password of the outgoing trust when you restore the first DC in each of the other (trusted) domains.

Important To reset the krbtgt password

36

Resetting the trust password ensures that the DC does not replicate with potentially bad DCs outside its domain. By setting the same trust password while restoring the first DC in each of the domains, you ensure that this DC replicates with each of the recovered DCs. Subsequent DCs in the domain that are recovered by installing AD DS will automatically replicate these new passwords during the installation process.

1. At a command prompt, type the following command, and then press ENTER:

netdom experthelp trust

2. Use the syntax that this command provides for using the NetDom tool to reset the trust password.

For example, if there are two domains in the forest—parent and child—and you are running this command on the restored DC in the parent domain, use the following command syntax:

netdom trust parent domain name /domain:child domain name /resetOneSide /passwordT:password /userO:administrator /passwordO:*

When you run this command in the child domain, use the following command syntax:

netdom trust child domain name /domain:parent domain name /resetOneSide /password:password /userO:administrator /passwordO:*

Note passwordT should be the same value on both sides of the trust. Run this command only once (unlike the netdom resetpwd command) because it automatically resets the password twice.

Adding the global catalogUse the following procedure to add the global catalog to a DC.

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.

3. Expand the Servers container, and then expand the server object for the DC to which you want to add the global catalog.

4. Right-click NTDS Settings, and then click Properties.5. Select the Global Catalog check box.

1. Open an elevated command prompt, type the following command, and press ENTER:

To reset a trust password on one side of the trust To add the global catalog To add the global catalog using Repadmin

37

repadmin.exe /options DC_NAME +IS_GC

The following are ways to speed up the process of adding the global catalog to the DC in the root domain:

Ideally, the DC in the root domain should be a replication partner of the restored DCs in the non-root domains. If so, confirm that the Knowledge Consistency Checker (KCC) has created the corresponding repsFrom object for the source DC and partition in the root DC. You can confirm this by running the repadmin /showreps /v command.

If there is no repsFrom object created, create this object for the configuration partition. This way, the DC in the root domain can determine which DCs in the non-root domain have been deleted. You can do this with the following commands:

repadmin /add ConfigurationNamingContext DestinationDomainController SourceDomainControllerCNAME

repadmin /options DSA -Disable_NTDSCONN_XLATE

The format for the SourceDomainControllerCNAME is:

sourceDCGuid._msdcs.root domain

For example, the repadmin /add command for the configuration partition of the contoso.com domain could be:

repadmin /add cn=configuration,DC=contoso,DC=com DC01 937ef930-7356-43c8-88dc-8baaaa781cf6._msdcs.dDSP17A22.contoso.com

If the repsFrom object is present, try to sync the DC in the root domain with the DC in the non-root domain as follows:

Repadmin /sync DomainNamingContext DestinationDomainController SourceDomainControllerGUID

Where DestinationDomainController is the DC in the root domain and SourceDomainController is the restored DC in the non-root domain.

The root domain DNS server should have the alias (CNAME) resource records for the source DC. Ensure that the parent DNS zone contains delegation resource records (name server (NS) and host (A) resource records) for the correct DCs (the DCs that have been restored from backup) in the child zone.

Make sure that the DC in the root domain is contacting the correct Key Distribution Center (KDC) in the non-root domain. To test this, at the command prompt, type the following command, and then press ENTER:

nltest /dsgetdc:nonroot domain name /KDC /Force

38

Resources to verify replication is workingAfter you have restored or re-installed all DCs, you can verify that AD DS and SYSVOL are recovered and replicating correctly by using repadmin /replsum, which runs on any version of Windows Server.

You can also download and run the Active Directory Replication Status Tool (ADReplStatus), a free tool that monitors replication status of DCs and reports errors. ADReplStatus requires .NET Framework 4, which will be installed if it is not already present.

Check the DFS Replication log in Event Viewer for Event ID 4602 (or File Replication Service event ID 13516), which indicates SYSVOL has been initialized.

If the first recovered DC logs Event ID 4614 (“the domain controller is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner”) in the DFS Replication log, then Event ID 4602 does not appear and you need to perform the following manual steps to recover SYSVOL if it is replicated by DFSR:

1. When DFSR Event 4612 appears on the first restored DC perform a manual authoritative restore as described in 2218556: How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS) (http://support.microsoft.com/kb/2218556).

2. Set SysvolReady Flag to 1 manually, as described in 947022 The NETLOGON share is not present after you install Active Directory Domain Services   on a new full or read-only Windows Server 2008-based domain controller.

You can also create a diagnostic report DFS Replication. For more information, see Create a Diagnostic Report for DFS Replication and DFS Step-by-Step Guide for Windows Server 2008. If the server is running Windows Server 2008 R2, you can use dfsrdiag.exe ReplicationState command line switch.

You can also run the Replications test using dcdiag.exe to check for replication errors. For more information, see Knowledge Base article 249256.

Appendix B: Frequently Asked QuestionsThis appendix contains frequently asked questions (FAQs) regarding forest recovery:

What can I do to speed up recovery? Can I automate the forest recovery process?

What can I do to speed up recovery?Although speed of recovery is not the primary goal of this guide, you can achieve shorter recovery times by:

Creating a detailed forest recovery plan, updating it on a regular basis, and practicing it in a simulated test environment of reasonable size at least once a year

Tip

39

Using virtualized domain controller (DC) cloning

Virtualized DC cloning expedites the process to get additional DCs running after one DC is restored from backup in each domain. The additional virtualized DCs can be cloned rather than waiting for potentially lengthy AD DS installations to be completed and for the completion of non-critical replication after installation.

Forests where virtual DCs are hosted in a relatively small number of well-connected data centers potentially benefit most from cloning during recovery. However, any environment where multiple virtualized DCs for the same domain are co-located on the same hypervisor host should benefit.

Deploying read-only domain controllers (RODCs)

RODCs can provide business continuity during the recovery process because they do not have to be disconnected from the network as writable DCs do. RODCs do not perform outbound replication. Therefore, they do not present the same risk that writable DCs pose for replicating damaging data back into the recovered environment.

Other factors that affect the duration of the forest recovery process include the following:

When you restore DCs from backups, it takes time to: Locate the physical backup media, such as tapes. Reinstall the operating system. Restore data from backup media.

You can reduce the time required to reinstall the operating system and restore data from backup by performing full server recovery instead of system state restore. Because full server recovery is binary-based, it completes much faster than system state restore.

However, if the server contains data that is excluded from system state data that you do not want to restore, full server recovery might not be a viable alternative to system state restore. Consider the advantages of performing a full server recovery instead of a system state restore for your servers specifically, and prepare accordingly by performing the appropriate type of backup that you plan to restore later.

When you rebuild DCs, it takes time to replicate data for network-based promotions.

You can decrease the time required for restoring DCs by performing the following steps:

Reduce the time for retrieving backup media by: Using the Active Directory Database Mounting Tool (Dsamain.exe) to identify the best

backup to use for restore operations. For more information about using the Active Directory Database Mounting Tool, see the Active   Directory Database Mounting Tool Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=132577).

Labeling the backup media clearly and storing the media in an organized fashion at a convenient, yet secure, location that allows fast retrieval.

Using the Volume Shadow Copy Service with a storage area network (SAN) to maintain backups from different points in time. For more information, see Windows   Server   2003 Active   Directory Fast Recovery with Volume Shadow Copy Service and Virtual Disk Service (http://go.microsoft.com/fwlink/?LinkId=70781).

40

Force the removal of AD DS from the DCs instead of reinstalling the operating system. If the cause of the forest-wide failure has been identified to be purely within the scope of AD DS, you do not have to reinstall the operating system on the DCs.

For more information about forcing the removal of AD DS from a DC that runs Windows Server 2008 or later, see Forcing the Removal of a Windows   Server   2008 Domain Controller (http://go.microsoft.com/fwlink/?LinkId=132627). For more information about forcing the removal of AD DS from a DC that runs Windows Server 2003, see article   332199 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=70780).

Use faster tape devices or disk backups to reduce the time that is required for restore operations.

You can also help accelerate AD DS installations by using the Install from Media (IFM) feature to rebuild DCs in each domain. IFM reduces the replication latency that is incurred when you rebuild DCs in each domain.

Businesses that have a more aggressive service-level agreement (SLA) might consider altering the forest recovery procedures to speed recovery.

Can I automate the forest recovery process?Because of the complex and critical nature of the forest recovery process, there is currently no end-to-end automation of it. The forest recovery process is more a logistical and organizational challenge of restoring business continuity than a technical problem of process automation. Therefore, the individual who administers the environment should create a forest recovery plan that is specific to that environment and then automate sections of it that can be automated successfully.

You can perform most of the forest recovery steps by using command-line tools. Therefore, most of the steps are scriptable. For example, Ntdsutil.exe is one of the most frequently used tools in the forest recovery process.

Although scripts can speed recovery, you must thoroughly test these scripts before you apply them in a real environment. Also, you must update them according to changes in the Active Directory environment, such as the addition of a new domain or DC, or a new version of Active Directory.

Appendix C: Recovering a Single Domain within a Multidomain ForestThere can be times when it is necessary to recover only a single domain within a forest that has multiple domains, rather than a full forest recovery. This topic covers considerations for recovering a single domain and possible strategies for recovery.

A single domain recovery presents a unique challenge for rebuilding global catalog (GC) servers. For example, if the first domain controller (DC) for the domain is restored from a backup that was

41

created one week earlier, then all other GCs in the forest will have more up-to-date data for that domain than the restored DC. To re-establish GC data consistency, there are a couple options:

Unhost and then rehost all GCs in the forest, except those in the recovered domain, at the same time.

Follow the forest recovery process to recover the domain, and then remove lingering objects from GCs in other domains.

The following sections provide general considerations for each option. The complete set of steps that need to be done for the recovery will vary for different Active Directory environments.

Rehost all GCsRehosting all GCs can be done using repadmin /unhost and repadmin /rehost commands (part of repadmin /experthelp). You would run the repadmin commands on every GC in each domain that is not recovered.

The password of the built-in Administrator account for all domains must be ready for use in case a problem prevents access to a GC for logon.

This option can be advantageous for a small organization that has only a few domain controllers for each domain. All of the GCs could be rebuilt on a Friday night and, if necessary, complete replication for all read-only domain partitions before Monday morning. But if you need to recover a large domain that covers sites across the globe, rehosting the read-only domain partition on all GCs for other domains can significantly impact operations and potentially require down time.

Remove lingering objectsSimilar to the forest recovery process, you restore one DC from backup in the domain that you need to recover, perform metadata cleanup of remaining DCs, and then re-install AD DS to build out the domain. On the GCs of all other domains in the forest, you remove the lingering objects for the read-only partition of the recovered domain.

The source for the lingering object cleanup must be a DC in the recovered domain. To be certain that the source DC does not have any lingering objects for any domain partitions, you can remove the global catalog if it was a GC.

Removing lingering objects is advantageous for larger organizations that cannot risk the down time associated with the other options.

For more information, see Use Repadmin to remove lingering objects.

Warning

42

Appendix D: Forest Recovery with Windows Server 2003 Domain ControllersThis topic includes forest recovery procedures for domain controllers (DCs) that run Windows Server 2003. The general process for forest recovery is no different with Windows Server 2003 DCs, but specific procedures can differ because of different tools. For example, Ntdsutil.exe can be used to backup and restore DCs that run Windows Server 2003 DCs, whereas Windows Server Backup or Wbadmin.exe is used for DCs that run Windows Server 2008 or later.

Backing up the System State data Performing a nonauthoritative restore Install and configure the DNS Server service

Backing up the System State dataUse the following procedure to back up the System State data, along with any other data you have selected for the current backup operation, of a DC that runs Windows Server 2003. Windows Server 2003 includes the Ntbackup tool, which you can use to back up System State data.

Membership in Administrators or Backup Operators, or equivalent, is the minimum required to back up files and folders. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

If you are backing up the System State data to a tape, and the Backup program indicates that there is no unused media available, you might have to use Removable Storage. This adds your tape to the free media pool so that Backup can use it.

You can only back up the System State data on a local computer. You cannot back it up on a remote computer.

1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

2. On the Welcome page, click Advanced Mode.3. On the Backup tab, select the check box for any drive, folder, or file that you want to

back up.4. Select the System State check box.5. Click Start Backup.

To back up the System State data on a domain controller that runs Windows Server 2003

43

Performing a nonauthoritative restoreUse the following procedure to perform a nonauthoritative restore of a DC that runs Windows Server 2003. By performing a nonauthoritative restore on Active Directory in Windows Server 2003, you automatically perform a nonauthoritative restore of SYSVOL. No additional steps are required.

If you are also reinstalling the Windows Server 2003 operating system, you might or might not join the computer to the domain and you can give any name to the computer during setup of the operating system. Do not install Active Directory. After reinstalling the operating system, go directly to step 4.

On Windows Server 2003 domain controllers where you have restored only system state data, you need to also reinstall any software applications that were running on DCs before recovery. Restoring AD DS on the first DC in the domain also restores the registry because they both are part of System State data. Keep this in mind if you had any applications running on these DCs and if they had any information stored in the registry.

To save time required to re-install software, determine if applications that need to be installed on the DCs are compatible with virtual DC cloning. Such applications can be installed on the source DC prior to cloning in order to save the time and effort required to install them on the cloned virtual DCs.

1. After you start the DC, press F8 to restart the computer in Directory Services Restore Mode (DSRM).

2. Select Directory Services Restore Mode (Windows domain controllers only).3. Select the operating system that you want to start in restore mode.4. Log on as an administrator (you can only use a local computer account, no domain logon

option is available).5. At a command prompt, type ntbackup, and then press ENTER.6. On the Welcome page, click Advanced Mode, and then select the Restore and

Manage Media tab. (Do not select Restore Wizard.)7. Select the appropriate backup file to restore from and ensure that the System disk and

System State check boxes are selected.8. Click Start Restore.9. When the restore operation is complete, restart the computer.

Use the following procedure to perform an authoritative (also known as primary) restore of SYSVOL on a DC that runs Windows Server 2003. Perform this procedure only on the first Windows Server 2003 DC that is restored in the domain.

1. Perform steps 1 through 8 in the previous procedure. 2. In the Confirm Restore dialog box, click Advanced.3. To perform an authoritative restore of SYSVOL, select the check box When restoring

replicated data sets, mark the restored data as the primary data for all replicas.

Note To perform a nonauthoritative restore To perform an authoritative restore of SYSVOL

44

NotesMarking the restored data as the primary data in the Backup is equivalent to setting the BurFlags entry to D4 under the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

4. When the restore operation is complete, restart the computer.

Install and configure the DNS Server serviceIf the DC that you restored from backup is running Windows Server 2003, you can install DNS server without connecting the DC to any network.

1. Open Windows Components Wizard. To open the wizard: Click Start, click Control Panel, and then click Add or Remove Programs. Click Add/Remove Windows Components.

2. In Components, select the Networking Services check box, and then click Details.3. In Subcomponents of Networking Services, select the Domain Name System (DNS)

check box, click OK, and then click Next.4. If you are prompted, in Copy files from, type the full path of the distribution files, and

then click OK.

After the installation, complete the following steps to configure the DNS server.

5. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.6. Create DNS zones for the same DNS domain names that were hosted on the DNS

servers before the critical malfunction. For more information, see Add a Forward Lookup Zone (http://go.microsoft.com/fwlink/?LinkId=74574).

7. Configure the DNS data as it existed before the critical malfunction. For example: Configure DNS zones to be stored in AD DS. For more information, see Change the

Zone Type (http://go.microsoft.com/fwlink/?LinkId=74579). Configure the DNS zone that is authoritative for domain controller locator

(DC Locator) resource records to allow secure dynamic update. For more information, see Allow Only Secure Dynamic Updates (http://go.microsoft.com/fwlink/?LinkId=74580).

8. Ensure that the parent DNS zone contains delegation resource records (name server (NS) and glue host (A) resource records) for the child zone that is hosted on this DNS server. For more information, see Create a Zone Delegation (http://go.microsoft.com/fwlink/?LinkId=74562).

9. After you configure DNS, at the command prompt, type the following command, and then press ENTER:

net stop netlogon10. Type the following command, and then press ENTER:

To install and configure the DNS Server service

45

net start netlogon

Note Net Logon will register the DC Locator resource records in DNS for this DC. If you are installing the DNS Server service on a server in the child domain, this DC will not be able to register its records immediately. This is because it is currently isolated as part of the recovery process, and its primary DNS server is the forest root DNS server. Configure this computer with the same IP address as it had before the disaster to avoid DC service lookup failures.

Additional ResourcesThis section contains additional resources related to forest recovery.

The following resources are useful for recovering domain controllers that run Windows Server 2012:

Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100) Maintaining Business Continuity of Virtualized Environments with Hyper-V Replica: scenario

overview. For more information about setting up Hyper-V Replica, see Deploy Hyper-V Replica Remote Server Administration Tools for Windows 8

The following resources are useful for recovering domain controllers that run Windows Server 2008 R2 or Windows Server 2008:

Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) Microsoft Remote Server Administration Tools for Windows   Vista

(http://go.microsoft.com/fwlink/?LinkID=115118) Active Directory Database Mounting Tool Step-by-Step Guide

(http://go.microsoft.com/fwlink/?LinkId=132577) Ntdsutil (http://go.microsoft.com/fwlink/?LinkId=132629) Forcing the Removal of a Windows   Server   2008 Domain Controller

(http://go.microsoft.com/fwlink/?LinkID=132627) Installing Active Directory Domain Services from Media (http://go.microsoft.com/fwlink/?

LinkId=132630) Performing an Unscheduled Backup of a Domain Controller (http://go.microsoft.com/fwlink/?

LinkId=132632) Performing a Nonauthoritative Restore of AD   DS (http://go.microsoft.com/fwlink/?

LinkId=132637)

46